As the value of your bitcoins grows, so does your need for secure key storage. One such solution is a hardware wallet, a physical device that allows you to securely store the keys to your bitcoin. But hardware wallets aren't the only option for storing your bitcoin keys: there are also software wallets, paper wallets, and even “brain wallets.” So why specifically choose a hardware wallet?
1. Keep your keys offline, protected from remote attacks
Hardware wallets allow you to generate and retain the keys to your bitcoins completely offline, known as cold storage. This is in contrast to hot wallets, which are more susceptible to remote attacks such as malware and SIM swapping attacks (even more secure than a custodian or exchange!).
You can think of this as similar to building a ship in a bottle. Your wallet seed, which is used to generate your bitcoin keys, is generated within the device and cannot be digitally exported. At no time do the keys leave the device. Even if a hardware wallet is connected to a virus-infected computer (which is not recommended), the keys would still be protected, often on a secure element.
When you want to move your bitcoins, you create a transaction using the wallet software, send it to the hardware wallet, sign it in the hardware wallet itself using your private keys, and then send it back to the internet-connected wallet software to be transmitted to the bitcoin network.
2. Protect against physical attacks
If someone were to gain physical access to your hardware wallet, there are unique features that hardware wallets offer that will help defend against attacks. Some of these security features include a secure element, firmware verification, and a PIN as a first layer of defense.
Secure elements
A secure element is a microprocessor used to isolate, store and protect sensitive data. In a hardware wallet, a secure element provides a higher level of protection against physical compromises compared to the standard environment on a mobile phone, desktop or laptop. For example, this makes it more difficult to compromise your device through fault attacks, side channel attacks, and cold boot attacks.
Firmware verification
Firmware verification is a way to verify the validity of a hardware wallet's built-in software. This protects against counterfeit versions and supply chain attacks. Firmware verification ensures the use of a genuine, unaltered version of the hardware. Wallet software from manufacturers like Trezor, Ledger, and others checks the device firmware every time you connect the device to your PC.
Access PIN
Access PINs on many hardware wallets help prevent anyone other than the owner from gaining immediate access to the ability to sign with keys stored on the device. In most cases, the penalty for failing to enter your PIN correctly within a given number of attempts is an increasing delay between incorrect guesses. With some hardware wallets, exceeding the number of PIN attempts allowed can result in a factory reset of the device or even render it permanently unusable.
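The throttling described above can be modelled in a few lines. This is an added example, not code from any wallet vendor: the `PinGuard` class, the doubling delay schedule, the limit of 10 attempts and the sample PIN are all hypothetical, and real devices choose their own values.

```python
import hmac

class PinGuard:
    """Toy model of a hardware wallet PIN check (all parameters hypothetical)."""

    def __init__(self, pin, max_attempts=10, base_delay=1.0):
        self._pin = pin.encode()
        self.max_attempts = max_attempts  # failures allowed before the wipe
        self.base_delay = base_delay      # seconds of lockout after the first failure
        self.failures = 0
        self.locked_until = 0.0
        self.wiped = False

    def try_pin(self, guess, now):
        """Return 'ok', 'wrong', 'locked' or 'wiped'; `now` is a clock in seconds."""
        if self.wiped:
            return "wiped"
        if now < self.locked_until:
            return "locked"  # still inside the delay window: guess is not evaluated
        if hmac.compare_digest(guess.encode(), self._pin):  # constant-time compare
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= self.max_attempts:
            self._pin = b""  # stands in for erasing the seed (factory reset)
            self.wiped = True
            return "wiped"
        # The delay doubles with each consecutive failure: 1s, 2s, 4s, ...
        self.locked_until = now + self.base_delay * 2 ** (self.failures - 1)
        return "wrong"

def simulate_guessing(guard, guesses):
    """Feed guesses as fast as the guard allows; return (result, elapsed_s, tried)."""
    now, tried = 0.0, 0
    for guess in guesses:
        now = max(now, guard.locked_until)  # wait out the current lockout
        tried += 1
        result = guard.try_pin(guess, now)
        if result in ("ok", "wiped"):
            return result, now, tried
    return "exhausted", now, tried

if __name__ == "__main__":
    # Constructed PIN and sequential guesses 0000, 0001, ... for illustration.
    guard = PinGuard("4831")
    print(simulate_guessing(guard, ("%04d" % i for i in range(10000))))
```

With these assumed parameters a sequential guesser gets 10 tries out of 10,000 possible four-digit PINs before the model wipes itself, and the escalating delay stretches even those 10 tries over 511 seconds.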
Duress PIN
A duress PIN is a security feature that can help protect your bitcoin in the event of a $5 Wrench Attack. Duress PINs are particularly important for hardware wallets (because they are used to protect larger amounts of bitcoins), and the functionality available is particularly robust in some cases.
For example, the Coldcard hardware wallet offers three types of duress PINs: one that unlocks a decoy wallet, another that destroys the seed upon entry, and another that creates a countdown for customizable “brick modes.” If you end up in a duress situation, these tools give you confidence that attackers won't be able to access your bitcoin primary keys, if they have them.
3. Provides a smaller attack surface
It is possible to store your keys offline with a laptop or desktop computer and protect them from physical attacks. However, the general-purpose architectures of these devices present a larger attack surface for expert attackers. This means there are more ways for attackers to exploit software, firmware, and hardware to engineer ways to steal your private keys.
In contrast, hardware wallets are built with specialized hardware that simplifies their functionality to very specific tasks and limits their connectivity to the Internet and other devices. Even with a secure element to keep key data behind a firewall, some hardware wallets restrict how they physically connect to external devices: air-gapped hardware wallets primarily interact with other devices via a microSD card. Many manufacturers also offer bitcoin-only firmware to further simplify functionality.
Hardware wallets may have more limited functionality and convenience than general-purpose devices, but that limited functionality also means limited vulnerability. This also has the added benefit of creating less risk of new holes being discovered that manufacturers must plug with firmware updates or hardware revisions.
4. Prepare for rising values
You may think you don't own enough bitcoins to make it worth the effort of purchasing a hardware wallet and learning how to store your keys securely offline. One reason to purchase a hardware wallet now is to prepare for upward swings in the price of bitcoin.
It is common wisdom in bitcoin to treat your holdings as if they are worth 10 times what they are worth today; historically, a move like this can happen quickly and unexpectedly. Additionally, if your bitcoin holdings would be uncomfortably large for standard single-signature self-custody with a 10x value increase, it may be time to consider a more secure self-custody model, such as multi-signature.
5. Confirm the addresses on the device
Because bitcoin transactions are irreversible, it is important to make sure that when you send bitcoins they go to the correct address. This is important both for sending bitcoins to another person and for sending bitcoins to a wallet controlled by the keys to hardware wallets you own.
With software wallets, malware could replace a real address with an attacker's address in the user interface, making it difficult to verify its authenticity. There is also “clipper” malware, which changes the receiving address on your computer clipboard, and other attack vectors.
Hardware wallets help with this by including a physical screen that shows the address you want to send funds to, allowing you to verify it before spending. As long as your device has not been physically compromised, you can be sure that the address shown to you is controlled by keys stored offline on the device. If you are sending funds to a remote recipient, it is best to confirm the address you are sending to through multiple channels.
6. An ideal environment to generate your own entropy
All bitcoin wallets rely on entropy (randomness) to generate seeds, and seeds are the master secret that generates your bitcoin private keys. Entropy can be generated in many ways, from basic on-device random number generators to long strings of random text input, rolls of dice, or playing cards.
Dice rolls are widely considered one of the best ways to generate your own entropy, minimizing third-party involvement in generating the randomness needed to initialize a bitcoin wallet. Some hardware wallets, such as Coldcard, allow you to input dice rolls into the device to generate a seed phrase. You can press 1–6 for each roll and it will use the rolls to generate your seed.
While you don't need a hardware wallet to generate your own entropy (for example, you can do it on a permanently offline laptop), hardware wallets allow you to do it in a convenient and secure way. Generating your own entropy in the physical world can be fun and a great learning exercise, but it is meaningless without the right environment to help you preserve the marginal security you can gain by doing so.
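How many dice rolls a seed needs, and how rolls can become the numbers behind a seed phrase, is shown in the following added example (not code from this article or from any wallet's firmware). It assumes the rolls are condensed with SHA-256 over their ASCII digits and that the seed phrase follows BIP39; the function names and the sample rolls are constructed for illustration, and a device's own documentation is authoritative for what it actually does.

```python
import hashlib
import math
from collections import Counter

BITS_PER_ROLL = math.log2(6)  # a fair six-sided die yields about 2.585 bits per roll

def rolls_needed(target_bits):
    """Minimum number of fair rolls carrying at least target_bits of entropy."""
    return math.ceil(target_bits / BITS_PER_ROLL)

def validate_rolls(rolls, target_bits=256):
    """Reject input that cannot carry the claimed amount of entropy."""
    if not rolls or set(rolls) - set("123456"):
        raise ValueError("rolls must contain only the digits 1-6")
    if len(rolls) < rolls_needed(target_bits):
        raise ValueError("need at least %d rolls" % rolls_needed(target_bits))
    # Crude sanity check only: catches a stuck key or a lazily repeated digit.
    if Counter(rolls).most_common(1)[0][1] > len(rolls) // 2:
        raise ValueError("one face dominates; rolls do not look random")

def rolls_to_entropy(rolls):
    """ASSUMPTION: condense the rolls with SHA-256 over their ASCII digits."""
    validate_rolls(rolls)
    return hashlib.sha256(rolls.encode("ascii")).digest()

def bip39_word_indices(entropy):
    """Split entropy plus its BIP39 checksum into 11-bit wordlist indices."""
    ent_bits = len(entropy) * 8
    if ent_bits not in (128, 160, 192, 224, 256):
        raise ValueError("BIP39 entropy must be 128-256 bits in 32-bit steps")
    cs_bits = ent_bits // 32  # checksum length: one bit per 32 bits of entropy
    checksum = hashlib.sha256(entropy).digest()[0] >> (8 - cs_bits)
    value = (int.from_bytes(entropy, "big") << cs_bits) | checksum
    total = ent_bits + cs_bits
    return [(value >> (total - 11 * (i + 1))) & 0x7FF for i in range(total // 11)]

# Constructed sample input for demonstration only; never reuse it for a wallet.
SAMPLE_ROLLS = "123456" * 17  # 102 rolls

if __name__ == "__main__":
    indices = bip39_word_indices(rolls_to_entropy(SAMPLE_ROLLS))
    print(len(SAMPLE_ROLLS), "rolls ->", len(indices), "word indices:", indices)
```

Each index selects one word from the 2048-word BIP39 list, so 256 bits of entropy give a 24-word phrase. Run a check like this only on the kind of permanently offline machine the text mentions, since anything that sees the rolls sees the seed.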
7. Travel safer
Traveling with small amounts of bitcoin can be easily done with a mobile phone or other less secure device, but larger amounts of bitcoin require more forethought. Traveling with keys on a laptop or mobile device is risky because these devices are typically hot (connected to the Internet), have more limited physical protections, and larger attack surfaces.
Hardware wallets offer convenience and security if you need to carry one or more bitcoin keys with you while traveling.
You don't have to worry about sketchy WiFi connections or USB ports, you can use duress features as described above if someone were to physically attack you, and you'll be better protected if your device is lost, stolen, or confiscated (attackers would have to defeat the specific security of the hardware wallet). And they still offer convenient access if you need to spend.
8. Improve the security of multi-signature configurations
Multi-signature wallets are built by combining multiple keys (unlike single-signature wallets that use only one). Requiring more than one key to spend bitcoins adds security and redundancy to your wallet, making them useful for protecting larger amounts of bitcoins.
The more secure the individual keys involved in building a multi-signature wallet, the more secure the multi-signature wallet itself will be. Hardware wallets allow you to conveniently create a multi-signature wallet with keys clearly outlined and maintained securely offline. As with singlesig, hardware wallets also allow you to verify multi-signature addresses offline when sending bitcoins.
Using multiple hardware wallets is a natural choice for multisig because it is often used to maximize security and redundancy for large amounts of cold storage bitcoins, a goal that physical devices and seed phrase backups will also help you achieve.
Get started with self-custody
The first step to improving the security of your bitcoins is to always adopt self-custody, whether hot or cold, to eliminate the risk involved with trusted custodians, such as exchanges. From there, you can explore additional security tools, such as multi-signature, to find the right balance between security and accessibility for your circumstances.
Originally published in Unchained.com.
Unchained Capital is the official US collaborative custody partner of Bitcoin Magazine and an integral sponsor of related content published through Bitcoin Magazine. To learn more about services offered, custody products, and the relationship between Unchained and Bitcoin Magazine, visit our website.